The Urgency of Threat Detection in Backup Data
This presentation addresses a critical gap in cyber resilience strategy: the need to scan and hunt for threats within backup data, not just production environments. Chris Hoff and Teresa Miller explain that modern cyberattacks have reduced dwell time to as little as one hour, while organizations often take days or weeks to detect and respond. The core challenge is that malware is designed to evade detection, evolve rapidly, and can remain hidden in backup snapshots for months. When organizations need to recover from an attack, they must ensure they're restoring clean data rather than reintroducing compromised files. Cohesity's approach combines malware scanning, anomaly detection, and threat hunting capabilities that work against backup data both proactively (pre-attack) and reactively (post-attack), providing organizations with the confidence that their recovery points are free from threats.
Integration with Threat Intelligence and Recovery Workflows
The platform creates a hash of every backed-up file and compares these hashes against known malicious file databases from sources like CISA and Cohesity Red Labs. Beyond internal threat intelligence, Cohesity integrates with third-party feeds including an out-of-the-box connection to CrowdStrike Falcon's threat intelligence. This integration enables early threat detection and helps determine the blast radius of an attack by tracking file propagation across snapshots. The hash-based approach provides common telemetry that can be correlated with production security tools like SIEM, EDR, and network threat intelligence platforms. By identifying which snapshots contain threats and which are clean, organizations can make informed decisions about recovery points, whether restoring directly to production or into a clean room for forensics. This visibility into backup data integrity directly reduces recovery time objectives and overall business downtime.
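The hash-matching workflow described above (hash every backed-up file, compare against a feed of known-bad hashes, then report which snapshots are clean and where an indicator first appeared) is shown below as an added, self-contained Python example. It is not Cohesity's code and makes no use of their API; the snapshots, file contents, and the "threat-intel" hash set are all constructed inline so the script runs offline.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: three backup snapshots of one host, taken in order.
# MALICIOUS_CONTENT is a made-up stand-in for a known-bad file; no real sample is used.
MALICIOUS_CONTENT = b"constructed-malicious-dropper-sample"
SNAPSHOTS = [
    ("snap-001", {"/etc/hosts": b"127.0.0.1 localhost\n",
                  "/home/alice/report.docx": b"quarterly numbers"}),
    ("snap-002", {"/etc/hosts": b"127.0.0.1 localhost\n",
                  "/home/alice/report.docx": b"quarterly numbers",
                  "/tmp/.cache/updater": MALICIOUS_CONTENT}),
    ("snap-003", {"/etc/hosts": b"127.0.0.1 localhost\n",
                  "/home/alice/report.docx": b"quarterly numbers",
                  "/tmp/.cache/updater": MALICIOUS_CONTENT,
                  "/opt/app/bin/helper": MALICIOUS_CONTENT}),
]

# Constructed threat-intel feed: SHA-256 hashes of known-bad files. In practice this
# would be populated from a source such as a CISA indicator list or a CrowdStrike feed.
KNOWN_BAD_HASHES = {hashlib.sha256(MALICIOUS_CONTENT).hexdigest()}


def sha256_hex(data: bytes) -> str:
    """Hash a file's content; this is the common telemetry that can be correlated with SIEM/EDR."""
    return hashlib.sha256(data).hexdigest()


def index_snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path in a snapshot to the SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class ScanResult:
    # snapshot id -> paths whose hash matched the feed (empty list means the snapshot is clean)
    hits: Dict[str, List[str]] = field(default_factory=dict)
    # bad hash -> (first snapshot it appeared in, path), useful for sizing the blast radius
    first_seen: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def scan_snapshots(snapshots, bad_hashes) -> ScanResult:
    """Scan snapshots oldest-to-newest and record matches per snapshot and first appearance per hash."""
    result = ScanResult()
    for snap_id, files in snapshots:
        matched = []
        for path, digest in index_snapshot(files).items():
            if digest in bad_hashes:
                matched.append(path)
                result.first_seen.setdefault(digest, (snap_id, path))
        result.hits[snap_id] = matched
    return result


def clean_snapshots(result: ScanResult) -> List[str]:
    """Snapshots with no indicator matches; candidates for restore."""
    return [snap_id for snap_id, paths in result.hits.items() if not paths]


def latest_clean_snapshot(snapshots, result: ScanResult) -> Optional[str]:
    """Newest snapshot with no matches, i.e. the most recent safe recovery point."""
    for snap_id, _ in reversed(snapshots):
        if not result.hits[snap_id]:
            return snap_id
    return None


if __name__ == "__main__":
    scan = scan_snapshots(SNAPSHOTS, KNOWN_BAD_HASHES)
    for snap_id, paths in scan.hits.items():
        print(f"{snap_id}: {'clean' if not paths else 'matches ' + ', '.join(paths)}")
    print("latest clean recovery point:", latest_clean_snapshot(SNAPSHOTS, scan))
    for digest, (snap_id, path) in scan.first_seen.items():
        print(f"indicator {digest[:12]}... first seen in {snap_id} at {path}")
```

Run as-is: snap-001 is reported clean, snap-002 shows the first match at /tmp/.cache/updater, and snap-003 shows the file has propagated to a second path, which is the per-snapshot blast-radius view the text describes. Hash matching only catches files already in the feed; it is the cheap first layer and is meant to sit alongside the anomaly-detection and threat-hunting layers the presentation also mentions.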